HOWTO open an electronic hotel-room lock without a key

Cody Brocious -- a Mozilla dev and security researcher -- presented a paper on a vulnerability in hotel-door locks last month at Black Hat. Many electronic hotel door locks made by Onity have, on their underside, a small DC power port that also carries data. Brocious showed that if he plugs an Arduino into this port, reads out the 24-bit number stored there, and transmits it back to the lock, some appreciable fraction of the locks (but not all of them) spring open.

Testing a standard Onity lock he ordered online, he’s able to easily bypass the card reader and trigger the opening mechanism every time. But on three Onity locks installed on real hotel doors he and I tested at well-known independent and franchise hotels in New York, results were much more mixed: Only one of the three opened, and even that one only worked on the second try, with Brocious taking a break to tweak his software between tests.

Even with an unreliable method, however, Brocious’s work -- and his ability to open one out of the three doors we tested without a key -- suggests real flaws in Onity’s security architecture. And Brocious says he plans to release all his research in a paper as well as source code through his website following his talk, potentially enabling others to perfect his methods.

Brocious’s exploit works by spoofing a portable programming device that hotel staff use to control a facility’s locks and set which master keys open which doors. The portable programmer, which plugs into the DC port under the locks, can also open any door, even providing power through that port to trigger the mechanism of a door lock in which the battery has run out.
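The post describes a programmer port that hands out a stored value and accepts the same value back. The toy model below, added here and not part of the original post or of Onity's or Brocious's code, shows why that design cannot distinguish a genuine programmer from a device that captured the value once, and how a challenge-response check closes that gap. The class names, the HMAC-based response and the 16-byte nonce are assumptions made for the illustration; only the 24-bit width comes from the post.

```python
"""Constructed model: a static-token lock versus a challenge-response lock.

Assumptions (not Onity's real protocol): the lock stores either a 24-bit
token or a secret key; the programmer talks to it over one port; the
challenge-response variant uses HMAC-SHA256 over a fresh random nonce.
"""
import hashlib
import hmac
import os

TOKEN_BITS = 24                      # width mentioned in the post
TOKEN_MASK = (1 << TOKEN_BITS) - 1


class StaticTokenLock:
    """Opens when presented with the same fixed value it exposes on its port.

    Whatever is read from the port is also the credential, so a single
    capture is enough to open the lock again later (a replay)."""

    def __init__(self, token: int):
        self.token = token & TOKEN_MASK

    def read_port(self) -> int:
        # Models a port that lets the other side read the stored value.
        return self.token

    def open(self, presented: int) -> bool:
        return (presented & TOKEN_MASK) == self.token


class ChallengeResponseLock:
    """Issues a fresh nonce and expects HMAC(key, nonce) back.

    The key never crosses the port, and each nonce is consumed after one
    attempt, so a captured response is worthless in any later session."""

    def __init__(self, key: bytes):
        self._key = key
        self._pending = None

    def challenge(self) -> bytes:
        self._pending = os.urandom(16)
        return self._pending

    def open(self, response: bytes) -> bool:
        if self._pending is None:
            return False
        expected = hmac.new(self._key, self._pending, hashlib.sha256).digest()
        self._pending = None                 # single use
        return hmac.compare_digest(expected, response)


def programmer_response(key: bytes, nonce: bytes) -> bytes:
    """What a genuine programmer holding the key sends for a given nonce."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def static_token_is_replayable(lock: StaticTokenLock) -> bool:
    """Read the value once, send it back: True means the design is replayable."""
    captured = lock.read_port()
    return lock.open(captured)


def genuine_session_opens(lock: ChallengeResponseLock, key: bytes) -> bool:
    """A programmer that knows the key passes the challenge."""
    return lock.open(programmer_response(key, lock.challenge()))


def replayed_response_opens(lock: ChallengeResponseLock, key: bytes) -> bool:
    """Capture one genuine response, then resend it in a later session.

    Returns whether the resent response opened the lock (it should not)."""
    nonce = lock.challenge()
    captured = programmer_response(key, nonce)   # the response seen on the wire
    assert lock.open(captured)                   # the genuine session works
    lock.challenge()                             # later session, fresh nonce
    return lock.open(captured)


if __name__ == "__main__":
    KEY = b"constructed-demo-key"               # placeholder, not a real key
    print("static token replayable:", static_token_is_replayable(StaticTokenLock(0xABCDEF)))
    print("genuine session opens:", genuine_session_opens(ChallengeResponseLock(KEY), KEY))
    print("replayed response opens:", replayed_response_opens(ChallengeResponseLock(KEY), KEY))
```

The point for a defender is the second class: the fix is not hiding the port or the value but making sure nothing that crosses the port is reusable, which also means the lock needs a secret it can keep and a real source of randomness, both of which are firmware and hardware changes rather than a programmer-side patch.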

Hacker Will Expose Potential Security Flaw In Four Million Hotel Room Keycard Locks


  1. What’s the point of releasing his research as well as source code here? Why not work with the manufacturer of these locks instead of placing the hotel staying public in danger? In other words, christ, what an asshole…

    1. He’s actually an employee of a company trying to push into the hotel room lock market. So his publishing the source code is most definitely a calculated move to smash his opposition’s reputation.

      1. For what it’s worth, UPM is dead in all but name; the plan is to release all source for the complete replacement system and turn it into a real open source project, but we’re still planning how to do that effectively.  I’ll be blogging about it in the future.

        1. You know what, that’s absolutely fair. I had previously assumed that your actions were on the behalf of an employer who was purely private-sector.

          An open source project finding security weaknesses is something I can understand and support. Please ignore all my other comments.

      2. The linked article says he’s a former employee of a company that was trying to make a competing product, but ended up instead selling this hack to the Locksmith Institute.

    2. proof by blatant assertion: the majority of companies contacted by a “hacker” warning them of a security hole in their product respond not by sensibly fixing the problem (and thanking the “hacker” for coming to them first and thus doing research for them) but instead lawyering-up to produce threats and gag-orders.

      whereas, this way this (technically cunning) guy might actually help to protect your kit in your hotel.

      1. Again…. this was pretty much reputation sabotage conducted by one hotel lock company on another. This isn’t exactly noble.

        1. who said anything about being noble?  assume this chap had nothing but the foulest self-serving intent, if you like.   but your original comment assumed he is “asshole” for not going to the manufacturer first and instead presenting his crack to the public at large, to which i provided one tenable reason that strategy might not work out so well in general.

          and i still think it’s a technically cunning crack to notably poor engineered security.  *i* wouldn’t have thought of trying that.

    3. It’s been fairly well established that well known companies don’t work with random 3rd party hackers that approach them.

      Also, he spent years on this, you should be appreciative of his time instead of calling him an asshole.

      Why? Because there are 10 more guys that would have immediately sold this for illegal reasons and not gone public at all. The guys that go public are heroes, not assholes.

      1. That’s an awful lot of speculation you’ve got going there. All I know is that once he releases his source code into the wild, the bar to breaking and entering into hotel rooms will be drastically lowered and will most likely be exploited by people without the know-how or patience to figure this out on their own.

      2. “Why? Because there are 10 more guys that would have immediately sold this for illegal reasons and not gone public at all.”

        Who says the 10 more guys didn’t already do just that?

  2. According to Brocious himself, it took him three years to reverse-engineer the system to achieve this result. This definitely wasn’t a quick hack.

    1. Indeed, though it’s a bit complicated.  While I worked on this for 3 years, only maybe a solid year to a year and a half was spent reversing, with the rest of it being spent on building our actual product (a web-based replacement for the Onity front desk system).  The lock protocol stuff was the last bit of it, and it was maybe 6 months of part-time work, including the time to teach myself the low-level hardware aspects of it.

      It’s been an interesting journey; gotta find something new to take apart.

  3. Haha oh my GAWRD! 

    Do you mean to say that with a lot of effort, highly technical and specialized equipment, and years of training in systems bypassing, an expert in computers and software can hack open an electronic, software based lock some of the time? 

    Good on him for finding it, but the fear in the linked article is a little much.

    Edit: after getting to the end of the linked article, it’s super hilarious:

    Brocious says he stumbled upon the flaws in Onity’s locks while working as the chief technology officer for a startup called Unified Platform Management Corporation, which sought to compete with bigger players in the hotel lock industry by creating a universal front end system for hotels that used common lock technologies. Brocious was hired to reverse engineer hotel locks, and Onity was his first target. The discovery of Onity’s security vulnerabilities was entirely unintentional, he says.

    Priceless! So this is the “black hat”? A “mozilla dev and security researcher”, who is actually an employee of a company working to reverse engineer locks and find vulnerabilities in them so that his employer could use those vulnerabilities to push them out of the market. And his desire to publish all vulnerabilities online, INCLUDING the source code to his device, thus making his competitors’ locks vulnerable is somehow something noble and just?

    This is hilarious industry sabotage, dressed up with the language of hackers. And a conspicuous neckbeard.

    1. > A “mozilla dev and security researcher”, who is actually an employee of a company working to reverse engineer locks and find vulnerabilities in them so that his employer could use those vulnerabilities to push them out of the market. And his desire to publish all vulnerabilities online, INCLUDING the source code to his device, thus making his competitors’ locks vulnerable is somehow something noble and just?
      1) The goal was not to find vulnerabilities, but to figure out how the locks worked so we could interoperate with them.
      2) UPM is — for all intents and purposes — dead.  Onity isn’t a competitor of ours, since we aren’t doing business any longer.  In fact, everything is being open sourced in the nearish future (we’re trying to figure out the details and not leave our customers without support).

      Whether or not you think this work is noble and/or just (I personally wouldn’t use either of those words for this), it’s definitely not industry sabotage.  I have nothing to personally gain from this; had I released this info two years ago, I certainly couldn’t have said the same.

  4. I’ve worked with Saflok’s and VingCard’s RFID and magstrip readers. The newer models hotels are now installing don’t allow a plug-in programmer anymore. The lock programming devices communicate wirelessly with the locksets, and you have to be standing right in front of them. This means that you can’t give it a jump of power from the programming device to open the door.

    However, the study seems to be looking more into the fact that you can trick the device into thinking you’re using a master key, so this is still a possibility.

    1. That’s meaningless if it’s just the same protocols over the wireless connection instead of the physical port. In fact it’s worse because someone hanging out near a door for a while with a concealed box is much less suspicious than the guy plugging some device into it.

      It’s possible the companies have improved the security at the same time, but I would be completely unsurprised if most of their security hinges on being a proprietary protocol. 

  5. Note that the port in question is INSIDE the door. Which would mean you’d have to navigate your probe wire around the closed door and to that port.

    There are easier vulnerabilities to exploit.

    This is interesting, but not a significant security reduction as it stands… and I’m not convinced it can be turned into one. (He says, speaking as both programmer and locksmith.)

    1. The port is on the outside, just below the battery panel, on the bottom of the lock.  It’s what the hotel staff use to reprogram and open the locks themselves; no room access required.

    2. That’s what I thought at first glance, but I’m pretty sure it’s on the outside in the photo above… on the same side as the card reader. I think the hacker is on the room side of the door just for the sake of the photo.

  6. Cody, did you buy a programmer from Onity, or reverse-engineer its functionality using only the door lock?

    1. I got a portable programmer (and all the rest of my hardware — locks, encoders, etc) from a third party vendor; Onity won’t sell random bits of hardware to people AFAIK, and it’d be quite expensive either way.

      Every bit of reversing I did was black box, though; sit on the wire and capture data, then start emulating one side or the other.  Much simpler in this case than pulling firmware and going down to the code level.

      (Also, I can’t tell you how nice it is to see a technical question mixed in here.  So much more fun to answer than everything else.)

  7. Not sure the point.

    If someone wanted to gain entry to a hotel room, well, that’s easy in several other methods.

  8. Those hotel locks are much more easily defeated with an ‘L’ shaped piece of stiff wire and a semi-flexible wire cable ‘noose’ attached. I watched a maintenance guy do it to get into a room when his master key-card and laptop access attempts were unsuccessful.

  9. Once checked into a new hotel on the beach in Malibu that had only been open a week. Dropped off bags in the room and went downstairs for lunch. When I came back up my card wouldn’t open the door. Called downstairs and someone came up and tried every master card, etc and couldn’t get the door to open. Maintenance had to come up and take the door off its hinges. True story. 

    1. How do you take the door off the hinges from the outside? They’re normally on the inside.

  10. I work in a hotel with these kinds of locks.  Onity sent us an e-mail promising a firmware update in the near future.  So I’m looking forward to reprogramming every lock in the hotel one-by-one.

    1. Iiiiinteresting.  I’m looking forward to seeing what they come out with; I never found a functional programming interface on any of the circuit board revs I tested (though I didn’t test the ‘Advance’ HT locks), so I’m very curious as to how they’re going to do the update.  Regardless, good on them for making the effort; now to see how it pans out.

      As I detailed in the presentation, there are two sides to this: raw memory access, and broken crypto.  Fixing the raw memory access is /fairly/ easy (requires flashing (if possible) or replacing locks, and an update to the portable programmer (swap the EPROM or whole unit)), but fixing the broken crypto requires a *lot* more work.  I have this suspicion that only the former will happen, not the latter.
